Hacker Nation: China's Cyber Assault

A decade before Operation Aurora—China’s recent hacking spree of at least thirty-four Western companies—the Chinese government attempted to seize American computer code the old-fashioned, imperial way: by edict. The vehicle was an obscure government entity known as the State Encryption Management Commission. Its directive was that all Western encryption products in China—i.e., software, DVDs, laptops—must be registered, inspected, scrutinized, possibly downloaded, and, if necessary, confiscated. The target was Microsoft’s source code, suspected to contain a Trojan horse for U.S. intelligence. Rather than comply, Microsoft forged a rare coalition between the Japanese and American chambers of commerce in Beijing and forcefully lobbied the powerful Ministry of Information Industry, which chose to pretend the whole thing had been a sort of misunderstanding. The State Encryption Management Commission wrote a barely translatable retraction and exited the stage.

If Microsoft had left China when the Chinese government first acted, it would have dramatically threatened the creation of the world’s first Big Brother Internet. But the Western business community thought the Chinese were starting to get the picture: Modern commerce depends on free-flowing communication, secure encryption, and networks free from hackers. Western companies thought the win-win was so clear, in fact, that they did not press their momentary advantage or use the leverage they had as the force not only building but also bankrolling the Web in China. In any event, the Encryption Commission actually got what it wanted a few years later as Microsoft ultimately revealed its source code to Chinese officials, under what the company claims were controlled conditions.

A decade later, Google, apparently exhausted by Chinese government censorship, harassment, and the Gmail break-ins and network attacks of Operation Aurora, recently moved its Chinese search engine Web sites to Hong Kong servers and has made it clear that it will fully abandon the Chinese market if government pressure continues. The threat carries far less ballast this time around. True, at least one survey dared to report that Google’s departure would be seen as a grave loss by researchers across the Chinese Academy and the professional class. The flowers strewn across Google’s headquarters during the height of the break-in controversy speak eloquently of the Chinese people’s yearning for uninterrupted connectivity with the larger world. But those concerns are now considered eminently manageable by the Chinese Communist Party.

O ne unintended consequence of the Aurora hacking operation is that it appears to have galvanized, or at least accelerated, the policy articulated in Secretary of State Hillary Clinton’s remarkably ambitious January 21 speech, which combined full-throated American rhetorical support for Chinese and global Internet freedom with an implicit policy gambit: the equivalent of an arms control agreement with China on the issue of network intrusions.

Yet, compelling though it was, the bulk of Clinton’s address was wrapped in the same just-good-business arguments used to avoid real confrontation ten years earlier. Clearly the Obama administration prefers to frame Internet freedom as a financial opportunity and hacking as a law enforcement problem, couched in the familiar language of the State Department and the Foreign Affairs Ministry. However, given that China claimed a growth rate of more than eight percent GDP during the last year and boasts of 384 million users online, the spectacle of Clinton pushing business advice, so soon after pleading for bond sales, invited Chinese derision.

Clinton also demanded that the Chinese government “conduct a thorough review of the cyber-intrusions”—which might have justifiably incited derision as well from U.S. intelligence. The Chinese government created a proxy hacking system precisely so that it could deny state involvement in the matter. Don’t we have enough evidence that, at Shanghai Jiaotong University, colorful hackers and sober state security agents work in tandem? Do we need bank statements confirming recruiting and bounties financing this guerrilla force? Would the American national interest really benefit from a show trial of a Chinese hacker or two? To imply that Chinese officials cannot control patriotic hackers is laughable.

Finally, Clinton’s speech ignored the fact that while diplomacy has its imperatives, so, too, does human rights. In her address, the secretary of state managed to avoid mentioning Tibet, Falun Gong, House Christians, or the fact that, following the Uighur-Chinese riots last July, twenty million people in Xinjiang have been utterly, punitively, cut off from the Internet. Clinton seemed oblivious, moreover, to the fact—recognized by many China experts—that the Google break-in was only at best indirectly related to U.S. intelligence. My interviews with Chinese security insiders clarify the real nightmare scenario feared by the government: Sophisticated Western technology, such as advanced encryption, could end up in the hands of the Chinese Communist Party’s internal enemies. This is a fear that called the State Encryption Management Commission into being ten years ago and still haunts the party and shadows its Internet maneuvers.

H ow, specifically, should the United States improve its position? It might start by interviewing people who have worked in Chinese surveillance, such as Hao Fengjun, who defected in 2005. In a discreet setting in Melbourne, Australia, he gave me an extended account of his personal history and the development of Chinese technical intelligence methods.

Hao started off as an ambitious, young deputy head of the Heping District Public Security Bureau in 1999, the tenth anniversary of the Tiananmen Square massacre and a moment widely seen as a similar test of the party’s resolve by the Falun Gong. By December, the Chinese security apparatus had embarked on its largest operation since Maoist times.

Falun Gong was a highly visible Buddhist revival movement that had spread across class and educational lines throughout the 1990s. By the end of the decade, soldiers, members of the Public Security Bureau, and high-ranking party cadres openly populated its ranks. From a Marxist perspective, which venerated the seizure of power using the same template, this was terrifying stuff. Chinese intelligence secretly estimated that the movement had attracted seventy million followers, surpassing party membership itself. On June 10, 1999, President Jiang Zemin and Security Chief Luo Gan secretly established the “6-10 Office” as a super-agency within the Chinese security establishment. Along with monitoring Buddhist groups and House Christian sects such as Eastern Lightning, its sine qua non was the complete and final elimination of Falun Gong.

By 2000, Hao had made his way into 6-10 and enjoyed its perks: Personal command over eighteen regional public security bureaus, a lavish budget, high-end Dell computers, and unusually sophisticated software, far superior to that found in any Chinese police department at the time. Hao also discovered a thorough body of advance work, including curiously comprehensive files on the Falun Gong practitioners that the 6-10 ultimately hoped to arrest: “Every person’s specific details—including family member information, everything of everything, how many practitioners in each district, how many coordinators, et cetera . . . These things are not something that can be done and collected in just one or two years.”

Practitioners of Falun Gong thought of themselves as protected by the amorphous floating world in which they traveled—a world without membership lists, central authority, or hierarchy. Yet they were being watched, infiltrated, and studied. After the 1999 crackdown, hardcore practitioners were relentlessly persuaded, drugged, starved, or tortured into a state of “transformation”—rejecting Falun Gong in favor of the Communist Party—and discovered that they knew more names, connections, addresses, and distinguishing characteristics of their fellow congregants than they had ever realized.

Hao’s responsibility was to round up specific high-profile practitioners who had “slipped the net.” The 6-10 Office had amassed camera surveillance of the individuals, taped at various public gatherings for use in advanced facial recognition technology. “As long as we had . . . video footage of the people involved,” Hao told me, “we would be able to get their personal information from our computer system.”

Before 1999, Falun Gong practitioners hadn’t systematically used the Internet as an organizing tool. But now that they were isolated, fragmented, and searching for a way to organize and change government policy, they jumped online, employing code words, avoiding specifics, communicating in short bursts. But like a cat listening to mice squeak in a pitch-black house, the “Internet Spying” section of the 6-10 Office could find their exact location, having developed the ability to search and spy as a result of what Hao describes as a joint venture between the Shandong Province public security bureau and Cisco Systems. What emerged was a comprehensive database of people’s personal information—including 6-10’s Falun Gong lists—and a wraparound surveillance system that was quickly distributed to other provinces. The Chinese authorities called it the Golden Shield, and Hao used it on a daily basis. “As far as following practitioners,” he says, “the Golden Shield includes the ability to monitor online chatting services and mail, identifying IPs and all of the person’s previous communication, and then being able to lock in on the person’s location—because a person will usually use the computer at home or at work. And then the arrest is carried out.”

Because Hao’s responsibility ended before a practitioner was actually interrogated, he assumed that most of the graphic photos of torture victims that appeared on Falun Gong Web sites were simply clever fakes. In 2001, however, Hao accidentally walked in on a colleague who was beating a female practitioner with an iron bar. The woman’s face bore an uncanny resemblance to Hao’s mother, and Hao now recognizes this as the moment when the defection germ entered his system, although it would take another four years for the infection to become acute.

A t that time, Hao could read e-mails within China and intercept e-mails to and from overseas, but he couldn’t read overseas to overseas messages. Students, businessmen, and Chinese expats served as the party’s eyes and ears abroad. From the Chinese leadership’s perspective, however, such assets were no longer sufficient if China was to fight its way out of a defensive crouch. Thus, when the patriotic hacking movement—the Green Army followed by the Red Hacker Alliance—began its spontaneous growth, the Chinese leadership chose not to crush but to channel it. Notwithstanding the hackers’ swashbuckling self-portrayals on their Web sites, the state kept them on a leash that was slackened only for largely symbolic skirmishes with Taiwan, Indonesia, Japan, and a few high-profile defacements of American Web sites after China’s Belgrade embassy was bombed. When State Security became aware that the hacktivists planned a major assault on American networks in 2002, the movement was temporarily shut down by the Chinese leadership, which was not ready for a potential confrontation.

However, as the internal war with Falun Gong dragged on, and as its overseas practitioners kept bringing graphic results of torture to the attention of the international legal system, the party felt that it had no choice but to widen the campaign. According to Hao, this explains why the first examples of hacking leading to widespread, sustained network disruption outside China were not aimed at the Pentagon or Wall Street. China’s first prolonged “denial of service” attack—essentially exhausting the bandwidth capability of a Web site until it becomes unavailable—was carried out from servers in Beijing and Shenzhen against Clearwisdom.net, the main Falun Gong practitioner site, hosted by servers in North America. The technical signature suggested a primitive, neophyte army; on the American side, not long after the attacks took place, the origin was traced directly back to the address of the Public Security Bureau in Beijing.

China’s operational landscape widened. In 2004, a car full of Falun Gong legal-activist practitioners on their way to serve papers against party officials in Pretoria, South Africa, was strafed in a drive-by shooting on a highway outside of the Johannesburg airport. Break-ins and vandalism at the Hong Kong and Taipei offices of a Falun Gong–associated newspaper, Epoch Times, followed. In 2006, the North American Falun Gong system administrator was rolled up in a carpet and beaten while mainland agents ransacked the files and computers in his suburban Atlanta home.

The 6-10 Office also created fake refugees—young, trained to mimic Falun Gong behavior, and holding paperwork confirming time spent in laogai, China’s penal system. “No matter how clever the Australian or the American government is,” Hao told me, “they have no way to distinguish the real [Falun Gong refugees] and the police officers.” To create friction between dissident groups, the refugee-bots planted themselves in dissident media centers in New York and Washington. Even if many were ultimately unmasked, they created havoc for internal network security.

This picture was confirmed in my conversations with Han Guang-sheng, a former chief of the Justice Bureau in the city of Shenyang who had spent most of his time working in a labor camp overcrowded with Falun Gong practitioners. When I interviewed him in Toronto in 2007, he confirmed that State Security had shifted its attention toward the overseas Falun Gong threat. Yet he also felt that the shift was not just about defeating Falun Gong, but about widening China’s internal wars into the Chinese diaspora and generating a campaign to turn anyone of Chinese blood into a de facto supporter of the Chinese Communist Party.

I also talked to Chen Yonglin, who was a Chinese diplomat based at the Sydney consulate until 2005, when he suddenly requested protection from the Australian government. We met in a private home in the suburbs eighteen months later. Careful and media-savvy, Chen began by authenticating his point that there were a thousand or more Chinese agents on Australian soil and then went on to explain that the vast majority were employed not to go after military technology, but to monitor Falun Gong and other dissidents in the Chinese communities of Melbourne and Sydney.

Judging from the witnesses I interviewed in the United States, Canada, Australia, and the United Kingdom, these sorts of Chinese infiltration activities never met with any particular governmental or intelligence-operational resistance in the West. It was as if the battle for the Chinese diaspora had already been ceded. In the United States in particular, the intelligence community was clearly distracted by terrorism, and pacified by occasional Chinese military and intelligence cooperation on terrorist networks, even if the information given was sketchy and unclassifiable.

With no one blocking them, Chinese hackers began carrying out successful denial-of-service attacks in Taiwan in 2004. When, in 2005, the so-called “Titan Rain” attacks began on military contractors, the U.S. Departments of Defense and State, and NASA, the subject of Chinese hackers finally began to receive wide press attention, but no explicit U.S. action or sanctions appeared to follow. The rest of the world began to pay attention following the revelations of the “Ghostnet” attacks (from 2007 to early 2009), which featured impressive break-ins of government centers around the world, including the Dalai Lama’s government in exile. But no international sanctions or penalties appeared. In the analytical aftermath, the attacks were subtly downplayed. The Chinese hackers’ methods were understood; U.S. intelligence officials shrugged.

But if these attacks were portents of a new, confident, and aggressive China, the party was still looking inward. By 2007, traditional fears over Internet social networking inside China (combined with a fear of color revolutions) were stirred anew by a series of incidents: a strong uptick in nationwide “mass disturbances”—i.e., riots, followed by the Tibet uprising and then revelations of shoddy schoolhouse construction in the wake of the Sichuan earthquake. In preparation for the Olympics, officials shut down social networking sites, and rounded up dissidents of all stripes. Most Chinese citizens assumed these measures would be temporary. But many have turned out to be permanent. Even in Aurora, it is possible to see traces of the party’s anxiety: According to Google, the Gmail break-ins (which may indeed have been facilitated by employees) were not aimed at individuals with military or business connections, but at Chinese journalists and Western human rights activists.

While I don’t use Gmail, Yahoo’s lawyers recently informed me that there had been a “rare” and “unusual” security breach into my e-mail account. That is consistent with the smash-and-grab of files in my car while I was interviewing Falun Gong practitioners in Montreal, and the questioning and forced deportation of my research assistant when he tried to enter Hong Kong. He was recently on a tour bus in Montreal with Falun Gong members who discovered that their tires had been carefully slashed to induce blowouts when the bus had reached highway speed.

The State Department doesn’t even bother tracking these sorts of incidents, but it is a positive development that they are showing concern over Chinese military and commercial opportunism, and Chinese spying and network intrusions. Perhaps Aurora did not threaten the best-kept secrets of the Pentagon, but some people in intelligence recognize that it puts the United States back in the World War II convoy position, essentially buying ten ships of network protection for every hacker U-boat. But while the party has discovered that the best defense against China’s internal problems is a good offense—and therefore has little interest in the deal offered by Clinton for an arms control agreement on Internet intrusions—there is another, final reason for the explosion in Chinese hacking, and it contains the key to a successful American counter-strategy.

P arlaying technical skill, first-hand knowledge of how Chinese engineers had laid out the Internet, and canny understanding of the Public Security Bureau and Chinese users, Falun Gong expats looked for cracks in the firewall, places where the Golden Shield did not patrol carefully enough to prevent intrusion. Over the years, these practitioners created a massive wormhole called DynaWeb, a place where any Chinese user with minimal technical skill could leave the surveillance Internet behind, and then surf and communicate freely. DynaWeb was soon joined by other discrete practitioner systems such as Ultrareach and FreeGate, creating the Global Internet Freedom Consortium. The consortium’s staff was purposely kept small. But they held a lot of cards—essentially a series of proxy systems that could be played in lightning succession, confusing and counteracting the Chinese censors. They also held doomsday programs which could, in a crisis, light up China’s network like a Christmas tree—a fact that also deterred physical visits from outriders for Chinese State Security.

Just before Iran’s post-election demonstrations last summer, the consortium wrote up an introductory page in Farsi that Iranian authorities could not dislodge. The consortium is presently the major conduit for uncensored news and information in and out of Iran. Ultimately its system also allows well over half a million Chinese users a day to surf freely and set up their own wormholes (I’m currently in communication with some of these mainland users), and it could easily support exponentially more.

The consortium’s unprecedented capability to defeat hackers and censors alike is well understood at the State Department, yet while Clinton referenced “brave citizen journalists in Iran,” the consortium did not get a mention in her recent speech. Perhaps this is because the State Department has heard the party’s unequivocal message that anything associated with Falun Gong is non-negotiable. In its present limited and somewhat obtuse form, however, the State Department’s Internet freedom initiative is also non-negotiable.

It may be in the wider business interests of both the United States and China to have certain Internet rules of the road, yet it is fundamentally misleading for the State Department to present an open Internet as a win-win for the Chinese people, Chinese commerce, and the Chinese Communist Party. The party has things to hide—another twenty percent increase in the number of “mass incidents” in 2009, live organ harvesting of political and religious prisoners, and other skeletons that rattle persistently in its closet. And we have accumulated a decade of evidence that the party has no inhibitions about using a controlled Internet as a base camp, both to threaten the West and to achieve China’s strategic goals.

The State Department can translate the Internet freedom initiative into any Chinese phrase it likes, but it can’t stop the party by edict. Only if the state’s internally controlled Internet is threatened will China come to the bargaining table. The State Department has pledged funding to “enable citizens to exercise their rights of free expression by circumventing politically motivated censorship.” Will it award the money to groups with poor track records, and high burn rates? Or will the funding go to the consortium, the party’s nightmare, an internally created enemy with the means and motive to shatter China’s Big Brother Internet?

At the end of our interview, Hao Fengjun, the former 6-10 officer, spoke of the Chinese people’s prospects: “We’ve got the power from the overseas Falun Gong, the pro-democracy and other organizations. But only America can make it happen, make China realize democracy and freedom. Only America can help China to reach that goal.”

Ethan Gutmann is the author of Losing the New China. He lives in London and is completing a history of the clash between Falun Gong and the Chinese state.